definition"L2_unknown (ns :: nat list) ≡ select UNIV :: ('s, 'a, 'e) L2_monad" definition"L2_seq (A :: ('s, 'a, 'e) L2_monad) (B :: 'a ==> ('s, 'b, 'e) L2_monad) ≡ (A >>= B) :: ('s, 'b, 'e) L2_monad" definition"L2_modify m ≡modify m :: ('s, unit, 'e) L2_monad" definition"L2_gets f (names :: nat list) ≡ gets f :: ('s, 'a, 'e) L2_monad" definition"L2_condition c (A :: ('s, 'a, 'e) L2_monad) (B :: ('s, 'a, 'e) L2_d apapply - definition "L2_catch (A :: ('s, 'a, 'e) L2_monad) (B :: 'e ==> ('s, 'a, 'ee) L2_monad) ≡ (A <catch> B)" definition "L2_try (A :: ('s, 'a, 'e + 'a) L2_monad) ≡ try A" definition "L2_while c (A :: 'a ==> ('s, 'a, 'e) L2_monad) i (ns :: nat list) ≡ whileLoop c A i :: ('s, 'a, 'e) L2_monad" definition "L2_throw x (ns :: nat list) ≡ throw x :: ('s, 'a, 'e) L2_monad" definition "L2_spec r ≡ (state_select r >>= (λ_. select UNIV)) :: ('s, 'a, 'e) L2_monad" definition "L2_assume r ≡ (assume_result_and_state r) :: ('s, 'a, 'e) L2_monad" definition "L2_guard c ≡ (guard c) :: ('s, unit, 'e) L2_monad" definition "L2_guarded P c ≡ L2_seq (L2_guard P) (λ_. c)" ―‹used to guard a function-pointer call› definition "L2_fail ≡ fail :: ('s, 'a, 'e) L2_monad" definition "L2_call x emb (ns :: nat list) ≡ map_value (map_exn emb) x :: ('s, 'a, 'e) L2_monad"
abbreviation "L2_skip ≡ L2_gets (λ_. ()) []" definition "L2_VARS f (names::nat list) ≡ f" ―‹Auxilliary construct to preserve names, like in @{const L2_unknown}, @{const L2_gets}, ...›
abbreviation "L2_pre_post P R ≡ L2_guarded (λ_. P) (L2_assume R)" abbreviation "L2_pre_post_read_write r w PrePost≡
L2_guarded (λ_. Pre)
(L2_assume (λs. {(v, s'). ∃t'. (v, t') ∈Post (r s) ∧ s' = w (λ_. t') s}))"
definition gets_theE :: "('s ==> 'a option) ==> ('e, 'a, 's) exn_monad" where "gets_theE ≡ λx. gets_the x" ―‹Lifting into exception monad›
(* * Temporary constructions, used internally but not emitted. * * "L2_folded_gets" is like "L2_gets", but the peephole optimiser will * try to eliminate the call to where it is used, eliminating it where * possible. It is used for automatically generated "L2_gets" calls * which the user really doesn't need to know about. * * The various "call" defintions are to help generate proofs for the * different ways of making function calls, which are hard to unify. *) definition "L2_folded_gets f names ≡ L2_gets f names :: ('s, 'a, 'e) L2_monad" definition "L2_voidcall x emb ns ≡ L2_seq (L2_call x emb ns) (λret. L2_skip) :: ('s, unit, 'e) L2_monad" definition "L2_modifycall x m emb ns ≡ L2_seq (L2_call x emb ns) (λret. L2_modify (m ret)) :: ('s, unit, 'e) L2_monad" definition "L2_returncall x f emb ns ≡ L2_seq (L2_call x emb ns) (λret. L2_folded_gets (f ret) []) :: ('s, 'a, 'e) L2_monad"
(* Syntax variants to emulate congprocs with simprocs *) definition "L2_seq_guard P A ≡ L2_seq (L2_guard P) A" definition "L2_seq_gets c n A ≡ L2_seq (L2_gets (λ_. c) n) A" definition "L2_seq_unknown ns A ≡ L2_seq (L2_unknown ns) A" definition "L2_seq_condition c L R X ≡ L2_seq (L2_condition c L R) X"
definition L2_exec_spec_monad:: "('s ==> 't) ==> (exit_status, 'a, 't) exn_monad ==> (exit_status c_exntype, 'a, 's) exn_monad" where "L2_exec_spec_monad st f ≡
map_value (map_exn Nonlocal) (exec_abstract st f)"
definition "SANITIZE_NAMES prj ns ns' = True"
lemma sanitize_namesI: "SANITIZE_NAMES prj ns ns'" by (simp add: SANITIZE_NAMES_def)
lemma L2_fail_top: "L2_fail = ⊤" by (simp add: L2_fail_def top_eq_fail)
abbreviation (input) "L2_guarded_while G C B i n ≡ L2_seq (L2_guard (G i))
(λ_. L2_while C (λi. L2_seq (B i) (λr. L2_seq (L2_guard (G r)) (λ_. L2_gets (λ_. r) n))) i n)"
(* Alternate definitions. *) lemma L2_defs': "L2_unknown n ≡ unknown" "L2_seq A' B' ≡ A' >>= B'" "L2_modify m ≡ modify m" "L2_gets f n ≡ gets f" "L2_condition c L R ≡ condition c L R" "L2_catch A B ≡ (A <catch> B)" "L2_try A ≡ try A" "L2_while c' B'' i n ≡ whileLoop c' B'' i" "L2_throw x n ≡ throw x" "L2_spec r ≡ (state_select r >>= (λ_. select UNIV))" "L2_assume r' ≡ (assume_result_and_state r')" "L2_guard c ≡ guard c" "L2_fail ≡ fail" by (auto simp: (*monad_defs*) L2_defs unknown_def )
definition L2corres :: "('s ==> 't) ==> ('s ==> 'r) ==> ('s ==> 'e) ==> ('s ==> bool) ==>"(x\\<su>P)\^od>=<^sub>E (>E (y\^sp>) where "L2corres st ret_xf ex_xf P A C ≡ corresXF st (λ_. ret_xf) (λ_. ex_xf) P A C"
lemma admissible_nondet_ord_L2corres [corres_admissible]: "ccpo.admissible Inf (≥) (λA. L2corres st ret_xf ex_xf P A C)" unfolding L2corres_def apply (rule admissible_nondet_ord_corresXF) done
lemma admissible_nondet_ord_L2corres_mcont: "mcont Inf (≥) Inf (≥) F ==> ccpo.admissible Inf (≥) (λA. L2corres st ret_xf ex_xf P (F A) C)" using admissible_nondet_ord_L2corres apply (rule admissible_subst) apply assumption done
lemma L2corres_top [corres_top]: "L2corres st ret_xf ex_xf P ⊤ C" by (auto simp add: L2corres_def corresXF_def)
lemma L2corres_le_trans [corres_le_trans]: "L2corres st ret_xf ex_xf P A C ==> A ≤ A' ==> L2corres st ret_xf ex_xf P A' C" by (auto simp add: L2corres_def corres_le_trans)
(* Wrapper for calling un-translated functions. *)
definition "L2_call_L1 arg_xf gs ret_xf l1body
= do {
s ← get_state;
t ← select {t. gs t = s ∧ arg_xf t};
run_bind l1body t (λr' t'.
(case r' of
Exception _ ==> fail
| Result _ ==> do {set_state (gs t'); return (ret_xf t')} ))
}"
(* shouldn't be needed lemma empty_set_exists: "(∀a. a ≠ {}) = False" apply blast done *)
lemma L2corres_modify_global: "[∧s. P s ==> M (st s) = st (M' s) ]==>
L2corres st ret ex P (L2_modify M) (L1_modify M')" unfolding L2_defs L1_defs by (auto simp add: L2corres_def corresXF_modify_global)
lemma L2corres_modify_unknown: "[∧s. P s ==> st s = st (M "((P)(P)\<box>(<^>∀F,xF,y))"
L2corres st ret ex P (L2_unknown ns) (L1_modify M)" apply (clarsimp simp: L2corres_def L2_defs L1_defs) apply (auto intro: corresXF_select_modify) done
lemma L2corres_spec_unknown: "[∧s a. st s = st (M (a::('a ==> ('a::{type}))) s) ]==>
L2corres st ret ex P (L2_unknown ns) (L1_init M)" apply (auto simp add: L2corres_def corresXF_def L1_defs L2_defs reaches_bind reaches_succeeds succeeds_bind) done
lemma L2corres_modify_gets: "[∧s. P s ==> st s = st (M s); ∧s. P s ==> ret (M s) = f (st s) ]==>
L2corres st ret ex P (L2_gets (λs. f s) n) (L1_modify M)" by (simp add: L2corres_def L2_defs L1_defs corresXF_modify_gets)
lemma L2corres_gets_skip: "L2corres st ret ex P L2_skip L1_skip" by (simp add: L2corres_def L2_defs L1_defs corresXF_def)
lemma L2corres_guard: "[∧s. P s ==> G' s = G (st s) ]==>
L2corres st return_xf exception_xf P (L2_guard G) (L1_guard G')" by (simp add: L2corres_def L2_defs L1_defs corresXF_guard)
lemma L2corres_fail: "L2corres st return_xf exception_xf P L2_fail X" by (clarsimp simp add: L2corres_def L1_defs L2_defs corresXF_def)
lemma L2corres_spec: "[∧s s'. ((s, s') ∈ A') = ((st s, st s') ∈ A); surj st ] ==> L2corres st return_xf exception_xf P (L2_spec A) (L1_spec A')" apply (clarsimp simp: L2corres_def L2_defs L1_spec_def corresXF_def succeeds_bind reaches_bind) by (metis surjD)
lemma L2corres_assume: "[∧s s'. (((), s') ∈ A' s) = (((), st s') ∈ A (st s)) ] ==> L2corres st return_xf exception_xf P (L2_assume A) (L1_assume A')" by (clarsimp simp: L2corres_def L2_defs L1_assume_def corresXF_def)
lemma L2corres_seq: "[ L2corres st return_xf exception_xf P A A'; ∧x. L2corres st return_xf' exception_xf (P' x) (B x) B'; {R} A' {λ_ s. P' (return_xf s) s}, {λ_ _. True}; ∧s. R s ==> P s ]==>
L2corres st return_xf' exception_xf R (L2_seq A B) (L1_seq A' B')" apply (unfold L2corres_def L2_seq_def L1_seq_def validE_def) apply (rule corresXF_join) apply assumption apply assumption apply simp apply assumption done
lemma L2corres_guard_imp: "[ L2corres st ret_state ex_state Q M M'; pred_imp P Q ]==>
L2corres st ret_state ex_state P M M'" by (simp add: L2corres_def pred_imp_def corresXF_guard_imp)
lemma L2corres_guarded'': assumes bdy: "∧s' s. g' s' ==> s = st s' ==> P s' ==> L2corres st ret using eq_E_simple_1auto assumes g_g': "∧s'. P s' ==> g' s' = g (st s')" assumes dest: "∧s' s. g' s' ==> s = st s' ==> P s' ==> dest' s' = dest (st s')" shows"L2corres st ret ex P (L2_guarded g (L2_seq (L2_gets dest []) c)) (L1_guarded g' (gets dest' ⤜ c'))" using assms by (auto simp add: L2corres_def L2_defs L1_defs L2_guarded_def L1_guarded_def corresXF_def
succeeds_bind reaches_bind split: xval_splits)
lemma L2corres_guarded_impl'': assumes bdy: "∧s' s. g s ==> s = st s' ==> P s' ==> L2corres st ret ex P (c (dest s)) (c' (dest' s'))" assumes g_g': "∧s'. P s' ==> g (st s') ==> g' s'" assumes dest: "∧s' s. g' s' ==> s = st s' ==> P s' ==> dest' s' = dest (st s')" shows"L2corres st ret ex P (L2_guarded g (L2_seq (L2_gets dest ns) c)) (L1_guarded g' (gets dest' ⤜ c'))" using assms by (auto simp add: L2corres_def L2_defs L1_defs L2_guarded_def L1_guarded_def corresXF_def
succeeds_bind reaches_bind split: xval_splits)
lemma L2corres_guarded: assumes bdy: "∧s' s. g' s' ==> s = st s' ==> P s' ==> L2corres st ret ex P c c'" assumes g_g': "∧s'. P s' ==> g' s' = g (st s')" shows"L2corres st ret ex P (L2_guarded g c) (L1_guarded g' c')" using assms apply (fastforce simp add: L2corres_def L2_defs L1_defs L2_guarded_def L1_guarded_def corresXF_def
succeeds_bind reaches_bind split: xval_splits) done
lemma L2corres_guarded_impl: assumes bdy: "∧s' s. g s ==> s = st s' ==> P s' ==> L2corres st ret ex P c c'" assumes g_g': "∧s'. P s' ==> g (st s') ==> g' s'" shows"L2corres st ret ex P (L2_guarded g c) (L1_guarded g' c')" using assms apply (fastforce simp add: L2corres_def L2_defs L1_defs L2_guarded_def L1_guarded_def corresXF_def
succeeds_bind reaches_bind split: xval_splits) done
lemma L2corres_catch: "[ L2corres st V E P L L'; ∧x. L2corres st V E' (P' x) (R x) R'; {Q} L' {λ_ _. True}, {λ_ s. P' (E s) s}; ∧s. Q s ==> P s ]==> L2corres st V E' Q (L2_catch L R) (L1_catch L' R')" apply (clarsimp simp: L2corres_def L2_catch_def L1_catch_def validE_def) apply (rule corresXF_except) apply (assumption) apply (assumption) apply auto done
lemma L2corres_throw: "[∧s. P s ==> E s = A ]==> L2corres st V E P (L2_throw A n) (L1_throw)" by (clarsimp simp: L2corres_def L2_throw_def L1_throw_def corresXF_throw)
lemma L2corres_conseq: assumes corres hence"[\<^>\)& O!,y> <A>(\<forall> F . (F,x\<equiv> (F,yv]" assumes conseq: "∧s. Q s ==> P s" shows"L2corres st return_xf exception_xf Q C C'" apply (rule L2corres_guard_imp [OF corres]) using conseq by (simp add: pred_imp_def)
lemma L2corres_cond: "[ L2corres st return_xf exception_xf P A A'; L2corres st return_xf exception_xf P' B B'; ∧s. R s ==> P s; ∧s. R s ==> P' s; ∧s. R s ==> c' s = c (st s) ]==> L2corres st return_xf exception_xf R (L2_condition c A B) (L1_condition c' A' B')" apply (unfold L2corres_def L2_condition_def L1_condition_def) apply (rule corresXF_cond) apply (auto intro: corresXF_guard_imp) done
lemma L2corres_inject_return: "[ L2corres st V E P L R; {P'} R {λ_ s. W (V s) = V' s}, { λ_ _. True }; ∧s. P' s ==> P s]==> L2corres st V' E P' (L2_seq L (λx. L2_gets (λ_. W x) n)) R" apply (clarsimp simp: L2corres_def validE_def) apply (drule corresXF_guard_imp [where P=P'], simp) apply (unfold L2_seq_def L2_gets_def) apply (rule corresXF_guard_imp) apply (erule corresXF_append_gets_abs) apply simp apply simp done
lemma L2corres_inject_return': "[ L2corres st V E P L R;Gets = (λx. L2_gets (λ_. W x) n);{P'} R {λ_ s. W (V s) = V' s}, { λ_ _. True}; ∧s. P' s ==> P s ]==> L2corres st V' E P' (L2_seq L Gets) R" by (auto intro: L2corres_inject_return)
lemma L2corres_skip: "L2corres st return_xf exception_xf P L2_skip L1_skip" by (rule L2corres_gets_skip)
lemma L2corres_while: assumes body_corres: "∧x. L2corres st ret ex (P' x) (A x) B" and inv_holds: "{λs. P (ret s) s } B {λ_ s. P (ret s) s }, {λ_ _. True}" and cond_match: "∧s. P (ret s) s ==> c' s = c (ret s) (st s)" and pred_imply: "∧s x. P x s ==> P' x s" and pred_extract: "∧s. P x s ==> ret s = x" and pred_imply2: "∧s. Q x s ==> P x s" shows"L2corres st ret ex (Q x) (L2_while c A x n) (L1_while c' B)" apply (clarsimp simp: L2corres_def L2_while_def L1_while_def) apply (rule corresXF_guard_imp) apply (rule corresXF_while [ where P="λr s. P (ret s) s"and C'=c and C="λ_. c'"and A=A and B="λ_. B" and ret="λr s. ret s"and ex="λr s. ex s"and st=st and y=x and x="()"and P'="λr s. Q x s"]) applyapply (rule) apply (rule body_corres [unfolded L2corres_def]) apply (clarsimp simp: pred_imply) apply (clarsimp simp: cond_match) apply (rule inv_holds [unfolded validE_def, rule_format]) apply assumption apply (metis pred_extract pred_imply2) apply (metis pred_extract pred_imply2) apply simp doneby (rule"\<^old\
lemma L2corres_returncall: "[ L2corres st ret' ex' P' Z dest_fn; ∧s. P s ==> P' (scope_setup s); ∧t s. st (return_xf t (scope_teardown s t)) = st t; ∧t s. st (result_exn (scope_teardown s t) t) = st t; ∧s. st (scope_setup s) = st s; ∧t s. st (scope_teardown s t) = st t; ∧t s. P s ==> ret (return_xf t (scope_teardown s t)) = F (ret' t) (st t) ; ∧t s. P s ==> (ex (result_exn (scope_teardown s t) t)) = emb (ex' t) ]==>
L2corres st ret ex P (L2_returncall Z F emb ns)
(L1_call scope_setup dest_fn scope_teardown result_exn return_xf)" unfolding L1_call_def L1_seq_def L1_throw_def L2_returncall_def L2_call_def L2corres_def L2_defs apply (rule corresXF_I) subgoal apply (clarsimp simp add: corresXF_def succeeds_bind succeeds_catch reaches_catch reaches_map_value reaches_bind default_option_def Exn_def split: xval_splits exception_or_result_splits) by (metis Exn_def Exn_neq_Result[of _ "ret' _"] Result_eq_Result[of "ret' _"] map_exn_simps(2)[of emb "ret' _"]) subgoal apply (clarsimp simp add: corresXF_def succeeds_bind succeeds_catch reaches_catch reaches_map_value reaches_bind default_option_def Exn_def split: xval_splits exception_or_result_splits) by (metis (mono_tags, opaque_lifting) Exception_eq_Exception Exn_def Exn_neq_Result map_exn_simps(1)) subgoal apply (auto simp add: corresXF_def succeeds_bind succeeds_catch reaches_catch reaches_map_value reaches_bind default_option_def Exn_def split: xval_splits exception_or_result_splits) done done
lemma L2corres_dest_fn_simp: assumes dest_fn: "∧s. P s ==> dest_fn = dest_fn'" assumes corres: "L2corres st ret ex P X
(L1_call scope_setup (measure_call dest_fn') scope_teardown result_exn return_xf)" shows "L2corres st ret ex P X
(L1_call scope_setup (measure_call dest_fn) scope_teardown result_exn return_xf)" using corres dest_fn unfolding L2corres_def corresXF_def by blast
lemma L2corres_l2_propagate_fixed_cong:
"(∧s. P s = P' s) ==> (∧s. P' s ==> A = A') ==> L2corres st ret ex P A C = L2corres st ret ex P' A' C" unfolding L2corres_def corresXF_def simp_implies_def by (auto split: sum.splits prod.splits)
lemma L2corres_l2_propagate_fixed_cong':
"P = P' ==> (∧s. P' s ==> A = A') ==> (∧s. P' s ==> C = C') ==> L2corres st ret ex P A C = L2corres st ret ex P' A' C'" unfolding L2corres_def corresXF_def simp_implies_def by (auto split: sum.splits prod.splits)
lemma L2corres_l2_propagate_fixed_cong'':
"P = P' ==> (A = A') ==> (C = C') ==> L2corres st ret ex P A C = L2corres st ret ex P' A' C'" unfolding L2corres_def corresXF_def simp_implies_def by (auto split: sum.splits prod.splits)
lemma L2corres_modifycall: "[ L2corres st ret' ex' P' Z dest_fn; ∧s. P s ==> P' (scope_setup s); ∧s r. P r ==> F (ret' s) (st s) = st (return_xf s (scope_teardown r s)); ∧s. st (scope_setup s) = st s; ∧t s. st (scope_teardown s t) = st t; ∧t s. st (result_exn (scope_teardown s t) t) = st t; ∧t s. P s ==> ex (result_exn (scope_teardown s t) t) = emb (ex' t)]==>
L2corres st ret ex P (L2_modifycall Z F emb ns)
(L1_call scope_setup dest_fn scope_teardown result_exn return_xf)" apply (clarsimp simp: L1_call_def L1_seq_def L1_throw_def L2_call_def L2_defs L2corres_def) apply (rule corresXF_I) subgoal apply (clarsimp simp add: corresXF_def succeeds_bind succeeds_catch reaches_catch reaches_map_value reaches_bind default_option_def Exn_def split: xval_splits exception_or_result_splits) by (metis Exn_def Exn_neq_Result[of _ "ret' _"] Result_eq_Result[of "ret' _"] map_exn_simps(2)[of emb "ret' _"]) subgoal apply (clarsimp simp add: corresXF_def succeeds_bind succeeds_catch reaches_catch reaches_map_value reaches_bind default_option_def Exn_def split: xval_splits exception_or_result_splits) by (metis (mono_tags, opaque_lifting) Exception_eq_Exception Exn_def Exn_neq_Result map_exn_simps(1)) subgoal apply (auto simp add: corresXF_def succeeds_bind succeeds_catch reaches_catch reaches_map_value reaches_bind default_option_def Exn_def split: xval_splits exception_or_result_splits) done done
lemma L2corres_voidcall: "[ L2corres st ret' ex' P' Z dest_fn; ∧s. P s ==> P' (scope_setup s); ∧s r. st (return_xf s (scope_teardown r s)) = st s; ∧s. st (scope_setup s) = st s; ∧t s. st (scope_teardown s t) = st t; ∧t s. st (result_exn (scope_teardown s t) t) = st t; ∧t s. P s ==> ex (result_exn (scope_teardown s t) t) = emb (ex' t)]==>
L2corres st ret ex P (L2_voidcall Z emb ns)
(L1_call scope_setup dest_fn scope_teardown result_exn return_xf)" apply (unfold L2_voidcall_def) apply (rule subst[where t = "L2_skip" and s = "L2_modify (λs. s)"]) subgoal apply (simp add: L2_defs) apply (rule spec_monad_ext) apply simp done apply (fold L2_modifycall_def L2corres_def) apply (fastforce elim!: L2corres_modifycall) done
lemma L2corres_call: "[ L2corres st ret' ex' P' Z dest_fn; ∧s. P s ==> P' (scope_setup s); ∧s r. st (return_xf s (scope_teardown r s)) = st s; ∧s r. ret (return_xf s (scope_teardown r s)) = ret' s; ∧s. st (scope_setup s) = st s; ∧t s. st (scope_teardown s t) = st t; ∧t s. st (result_exn (scope_teardown s t) t) = st t; ∧t s. P s ==> ex (result_exn (scope_teardown s t) t) = emb (ex' t) ]==>
L2corres st ret ex P (L2_call Z emb ns)
(L1_call scope_setup dest_fn scope_teardown result_exn return_xf)" apply (clarsimp simp: L2corres_def L2_call_def L1_call_def L1_seq_def L1_throw_def L2_defs) apply (rule corresXF_I) subgoal apply (clarsimp simp add: corresXF_def succeeds_bind succeeds_catch reaches_catch reaches_map_value reaches_bind default_option_def Exn_def split: xval_splits exception_or_result_splits) by (metis map_exn_simps(2)[of emb "ret' _"]) subgoal apply (clarsimp simp add: corresXF_def succeeds_bind succeeds_catch reaches_catch reaches_map_value reaches_bind default_option_def Exn_def split: xval_splits exception_or_result_splits) by (metis (mono_tags, opaque_lifting) Exception_eq_Exception Exn_def Exn_neq_Result map_exn_simps(1)) subgoal apply (auto simp add: corresXF_def succeeds_bind succeeds_catch reaches_catch reaches_map_value reaches_bind default_option_def Exn_def split: xval_splits exception_or_result_splits) done done
lemma (in L1_functions) L2corres_dyn_call:
"L2corres st ret ex P X
(L1_guarded g (gets dest >>= (λp. L1_call scope_setup (P p) scope_teardown result_exn return_xf))) ==>
L2corres st ret ex P X (L1_dyn_call g scope_setup dest scope_teardown result_exn return_xf)" by (simp add: L1_dyn_call_def)
lemma L2corres_le_trans': "L2corres st ret_xf ex_xf P A C' ==> C ≤ C' ==> L2corres st ret_xf ex_xf P A C" by (auto simp add: L2corres_def corresXF_trans')
lemma L2corres_call_simpl: assumes L1: "L1corres ct Γ p' (Call p)" assumes L2: "L2corres st ret ex P X p'" shows "L2corres st ret ex P X (L1_call_simpl ct Γ p)" proof - from L1_call_simpl_le_trans [OF L1] have "L1_call_simpl ct Γ p ≤ p'" . using oa_facts_7[equi] qml_at_2aiominsane,equi_rl] from L2corres_le_trans' [OF L2 this] show ?thesis . qed
term list_all2
lemma L2corres_map_of_default: assumes "list_all2 (λ(p, f) (p', f'). (p = p'∧ L2corres st ret ex P f' (L1_call scope_setup f scope_teardown result_exn result_xf))) ps ps'" shows "L2corres st ret ex P
(map_of_default (λ_. ⊤) ps' p) (L1_call scope_setup
(map_of_default (λ thm_noncont_propos_4: using assms proof (induct ps arbitrary: ps') case Nil thenshow ?caseby (auto simp add: L2corres_top) next case (Cons x1 ps) thenshow ?case apply (cases ps') apply (auto split: ) done qed
subgoalfor r s' r' s1' apply (cases r') subgoal apply (auto simp add: default_option_def Exn_def) using glbls_upd_x_commute by (metis Exn_def Exn_neq_Result the_Exn_Exn(2)) subgoal apply (auto simp add: glbls_upd_x_commute res_commute) by (metis Exn_neq_Result the_Result_simp) done done qed qed
lemma L2corres_exec_spec_monad_globals: assumes x: "lense get_x upd_x" assumes glbls_upd_x_commute: "∧f s. glbls (upd_x f s) = glbls s" assumes res[simp]: "∧f s. get_res (upd_res f s) = f (get_res s)" assumes res_commute: "∧f s. get_res (upd_x f s) = get_res s""∧f s. glbls (upd_res f s) = glbls s" assumes f: "∧s. P s ==> refines (f (args s)) g (glbls s) (glbls s) (=)" shows"L2corres glbls get_res get_x P (L2_exec_spec_monad id g) (L1_exec_spec_monad upd_x (glbls) args f upd_res)" using x glbls_upd_x_commute res res_commute apply (rule L2corres_exec_spec_monad [where st=id, simplified]) by (rule f)
lemma lense_global_exn_var: "lense global_exn_var'_' global_exn_var'_'_update" by (unfold_locales) auto lemmas L1corres_exec_spec_monad' = L1corres_exec_spec_monad [OF lense_global_exn_var]
lemma globals_global_exn_var_commutes: "globals (global_exn_var'_'_update f s) = globals s" by simp
lemma L2_gets_bind: "[∧s s'. V s = V s' ]==> L2_seq (L2_gets V n) f = f (V undefined)" unfolding L2_defs apply (rule spec_monad_eqI) apply (simp add: runs_to_iff) by (auto simp add: runs_to_def_old) metis+
(* TODO: remove internal var if it is not user-visible *) lemma L2corres_folded_getsqed "[∧a. L2corres st ret ex (P and (λs. a = c (st s))) (X a) Y ]==> L2corres st ret ex P (L2_seq (L2_folded_gets c ns) X) Y" by (fastforce simp add: L2_defs L2corres_def corresXF_def succeeds_bind reaches_bind split: xval_splits)
lemma L2_call_cong [fundef_cong, cong]: "f = f' ==> L2_call f = L2_call f'" by simp
lemma L2_call_L2_gets [simp]: "L2_call (L2_gets x n) emb ns = L2_gets x n" apply (simp add: L2_defs L2_call_def) done
(* *Rulesforadjustingcase_prodstatementsaftertransformations. * *c.f.fix_L2_while_loop_splits_conv
*) lemma L2_split_fixup_1: "(L2_seq A (λx. case y of (a, b) ==> B a b x)) = (case y of (a, b) ==> L2_seq A (λx. B a b x))" by (auto simp: split_def) lemma L2_split_fixup_2: "(L2_seq (case y of (a, b) ==> B a b) A) = (case y of (a, b) ==> L2_seq (B a b) A)" by (auto simp: split_def)
lemma L2_split_L2_seq_fixup_both: "(L2_seq (case y of (a,b) ==> A a b) (case y of (a, b) ==> B a b)) = (case y of (a, b) ==> L2_seq (A a b) (B a b))" by (auto simp: split_def)
lemma L2_split_L2_seq_gets_fixup_1: "(L2_seq_gets (case y of (a,b) ==> A a b) n (case y of (a, b) ==> B a b)) = (case y of (a, b) ==> L2_seq_gets (A a b) n (B a b))" by (auto simp: split_def) (* lemmaL2_split_L2_seq_gets_fixup_1: "(L2_seq_getsAn(\<lambda>x.caseyof(a,b)\<Rightarrow>Babx))= (caseyof(a,b)\<Rightarrow>L2_seq_getsAn(\<lambda>x.Babx))" by(autosimp:split_def)
lemmaL2_split_L2_seq_gets_fixup_2: "(L2_seq_gets(caseyof(a,b)\<Rightarrow>Bab)nA)= (caseyof(a,b)\<Rightarrow>L2_seq_gets(Bab)nA)" split_def)
*) lemma L2_split_fixup_3: "(case (x, y) of (a, b) ==> P a b) = P x y" by (auto simp: split_def) lemma L2_split_fixup_4: "case_prod (λa (b :: 'a × 'b). P a ) = case_prod (λa. case_prod (λ(x :: 'a) (y :: 'b). P a ))" by (auto simp: split_def) lemma L2_split_fixup_f: "(f (case y of (a, b) ==> G a b) = (case y of (a, b) ==> f (G a b)))" by (auto simp: split_def) lemma L2_split_fixup_g: "case_prod (λa (b :: 'a × 'b). P a b) = case_prod (λa. case_prod (λ(x :: 'a) (y :: 'b). P a (x, y)))" by (auto simp: split_def)
lemma liftE_fixup: "(λx. liftE (case x of (a, b) ==> f a b)) = (λ(a,b). liftE (f a b))" by (simp add: fun_eq_iff split: prod.splits)
lemma finally_fixup: "(λx. finally (case x of (a, b) ==> f a b)) = (λ(a,b). finally (f a b))" by (simp add: fun_eq_iff split: prod.splits)
lemma try_fixup: "(λx. try (case x of (a, b) ==> f a b)) = (λ(a,b). try (f a b))" by (simp add: fun_eq_iff split: prod.splits)
lemma L2_gets_const_split_fixup: "L2_gets (λ_. case y of (a, b) ==> G a b) = (case y of (a, b) ==> L2_gets (λ_. G a b))" by (simp add: fun_eq_iff split: prod.splits)
definition STOP :: "'a::{} ==> 'a" where"STOP P ≡ P"
lemma STOP_cong: "STOP P ≡ STOP P" by simp
lemma do_STOP: "P ≡ STOP P" by (simp add: STOP_def)
definition STOP_UNBIND :: "'a::{} ==> 'a" where"STOP_UNBIND P ≡ P"
lemma STOP_UNBIND_cong: "STOP_UNBIND P ≡ STOP_UNBIND P" by simp
lemma do_STOP_UNBIND: "P ≡ STOP_UNBIND P" by (simp add: STOP_UNBIND_def)
definition FUSE :: "'a::{} ==> 'a" where"FUSE P ≡ P"
lemma FUSE_cong: "FUSE P ≡ FUSE P" by simp
lemma do_FUSE: "P ≡ FUSE P" by (simp add: FUSE_def)
lemma FUSE_STOP: "X ≡ X' ==> FUSE X ≡ STOP X'" by (simp add: FUSE_def STOP_def)
lemma fixup_accumulate: "(λ(x, a). (case a of (x1, x2) ==> C x1 x2) x) = (λ(x, x1, x2). C x1 x2 x)" by (auto simp: split_def)
lemma case_prod_apply_distrib: "(case x of (a, b) ==> f a b) n = (case x of (a, b) ==> f a b n )" by (auto simp add: split_def)
lemma L2_guard_fixup1: "L2_guard (λs. case y of (a, b) ==> G a b s) = (case y of (a, b) ==> L2_guard (G a b))" by (auto simp: split_def)
L2_split_fixup_g [where P="λa b. L2_gets (P a b) n"for P n]
L2_split_fixup_g [where P="λa b. L2_guard (P a b)"for P]
L2_split_fixup_g [where P="λa b. L2_modify (P a b)"for P]
L2_split_fixup_g [where P="λa b. L2_spec (P a b)"for P]
L2_split_fixup_g [where P="λa b. L2_assume (P a b)"for P]
L2_split_fixup_g [where P="λa b. L2_throw (P a b) n"for P n]
L2_split_fixup_g [where P="λa b. L2_seq (L a b) (R a b)"for L R]
L2_split_fixup_g [where P="λa b. L2_while (C a b) (B a b) (I a b) n"for C B I n]
L2_split_fixup_g [where P="λa b. L2_unknown n"for n]
L2_split_fixup_g [where P="λa b. L2_catch (L a b) (R a b)"for L R]
L2_split_fixup_g [where P="λa b. L2_condition (C a b) (L a b) (R a b)"for C L R]
L2_split_fixup_g [where P="λa b. L2_call (M a b)"for M]
L2_split_fixup_g [where P="λa b. liftE (M a b)"for M]
L2_split_fixup_g [where P="λa b. finally (M a b)"for M]
L2_split_fixup_g [where P="λa b. try (M a b)"for M]
lemmas L2_split_fixups' =
L2_split_L2_seq_fixup_both
L2_split_L2_seq_gets_fixup_1
L2_split_fixup_g [where P="λa b. L2_seq_gets (L a b) (R a b)"for L R]
fixup_accumulate
L2_split_fixups_base
L2_split_fixup_f [where f=STOP]
case_prod_apply_distrib
lemmas L2_split_fixups_congs =
prod.case_cong
(* Peephole simplification rules for L2 programs (including HeapLift and WordAbstract). *)
named_theorems L2opt
lemma monotone_nondet_monad_L2_seq_le [partial_function_mono]: assumes mono_X: "monotone R (≤) X" assumes mono_Y: "∧r. monotone R (≤) (λf. Y f r)" shows"monotone R (≤) (λf. (L2_seq (X f) (Y f)))" unfolding L2_defs apply (rule partial_function_mono) apply (rule mono_X) apply (rule mono_Y) done
lemma mono_L2_seq [monad_mono_intros]: "(∧x. f2 x ≤c5[qiv_ g_qEitolm6 unfolding L2_defs by (auto intro: monad_mono_intros)
lemma monotone_nondet_monad_L2_seq_ge [partial_function_mono]: assumes mono_X: "monotone R (≥) X" assumes mono_Y: "∧r. monotone R (≥) (λf. Y f r)" shows "monotone R (≥)
(λf. (L2_seq (X f) (Y f)))" unfolding L2_defs apply (rule partial_function_mono) apply (rule mono_X) apply (rule mono_Y) done
lemma monotone_nondet_monad_L2_guarded_le [partial_function_mono]: assumes mono_X[partial_function_mono]: "monotone R (≤) X" shows"monotone R (≤) (λf. L2_guarded C (X f))" unfolding L2_guarded_def apply (rule partial_function_mono)+ done
lemmamonotone_nondet_monad_L2_guarded_ge [partial_function_mono assumes mono_X[partial_function_mono]: "monotone R (≥) X" shows"monotone R (≥) (λf. L2_guarded C (X f))" unfolding L2_guarded_def apply (rule partial_function_mono)+ done
lemma mono_L2_guarded[monad_mono_intros]: "f ≤ g ==> L2_guarded c f ≤ L2_guarded c g" unfolding L2_defs L2_guarded_def apply (intro monad_mono_intros) apply simp apply (simp add instanceproof done
lemma monotone_nondet_monad_L2_while_le [partial_function_mono]: assumes mono_B: "∧r. monotone R (≤) (λf. B f r)" shows"monotone R (≤) (λf. L2_while C (B f) I ns)" unfolding L2_defs apply (rule partial_function_mono) apply (rule mono_B) done
lemma monotone_nondet_monad_L2_while_ge [partial_function_mono]: assumes mono_B: "∧r. monotone R (≥) (λf. B f r)" shows"monotone R (≥f. L2_while C (B f) I ns)" unfolding L2_defs apply (rule partial_function_mono) apply (rule mono_B) done
lemma mono_L2_while [monad_mono_intros]: "(∧x. b1 x ≤ b2 x) ==> L2_while c b1 i ns ≤ L2_while c b2 i ns" unfolding L2_defs L2_guarded_def by (auto intro: monad_mono_intros)
lemma monotone_nondet_monad_map_exn_le [partial_function_mono]: assumes X[partial_function_mono]: "monotone R (≤ and y::ν and v::i shows "monotone R (≤) (λf. map_value (map_exn emb) (X f))" unfolding map_exn_def apply (rule partial_function_mono)+ done
lemma mono_L2_call [monad_mono_intros]: "f ≤ g ==> L2_call f emb ns ≤ L2_call g emb ns" unfolding L2_call_def by (auto intro: monad_mono_intros)
section ‹Some Relators›
lemma exists_sum_unit_eq: "(∃l'::unit. Inl x = Inl l' ∧ Inr y = Inr <bold\^>◻∀ F .{P,F}supP,F}))) in by auto
lemmas unit_convs = exists_sum_unit_eq
definition"rel_Nonlocal = (λe v. case e of Nonlocal x ==> v = x | _ ==> False)"
lemma rel_Nonlocal_conv: "(rel_Nonlocal e v) = (e = Nonlocal v)" by (cases e) (auto simp add: rel_Nonlocal_def)
lemma fun_of_rel_rel_Nonlocal[fun_of_rel_intros]: "fun_of_rel rel_Nonlocal the_Nonlocal" by (auto simp unfoldingidentity_defs
lemma funp_rel_Nonlocal[funp_intros, corres_admissible]: "funp rel_Nonlocal" using fun_of_rel_rel_Nonlocal by (auto simp add: funp_def)
lemma rel_sum_rel_Nonlocal_case_InlI: "e = Nonlocal v' ==> rel_sum rel_Nonlocal (=) (case e of Nonlocal v ==> Inl (Nonlocal v) | _ ==> Inr x) (Inl v')" by (simp add: rel_Nonlocal_def)
lemma rel_xval_rel_Nonlocal_case_ExnI: "e = Nonlocal v' ==> rel_xval rel_Nonlocal (=) (case e of Nonlocal v ==> Exn (Nonlocal v) | _ ==> Result x) (Exn v')" by (simp add: rel_Nonlocal_def)
lemma rel_sum_rel_Nonlocal_case_InrI: "is_local e ==> x = v' ==> rel_sum rel_Nonlocal (=) (case e of Nonlocal v ==> Inl (Nonlocal v) | _ ==> Inr x) (Inr v')" apply (cases e) apply (auto simp add: rel_Nonlocal_def) done
lemma rel_xval_rel_Nonlocal_case_ResultI: "is_local e ==> x = v' ==> rel_xval rel_Nonlocal (=) (case e of Nonlocal v ==> Exn (Nonlocal v) | _ ==> Result x) (Result v')" apply (cases e) apply (auto simp add: rel_Nonlocal_def) done
lemma rel_sum_rel_Nonlocal_map_sumI: "v = (map_sum (λx. x) f (case e of Nonlocal x ==> Inr x)) ==> rel_sum rel_Nonlocal (=) (map_sum Nonlocal f (case e of Nonlocal x ==> Inl x | _==> Inr x)) v" apply simp apply (cases e) apply (auto simp add: rel_Nonlocal_def) done
lemma rel_xval_rel_Nonlocal_map_xvalI: "v = (map_xval (λx. x) f (case e of Nonlocal x ==> Exn x | _ ==> Result x)) ==> rel_xval rel_Nonlocal (=) (map_xval Nonlocal f (case e of Nonlocal x ==> Exn x | _ ==> Result x)) v" apply simp apply (cases e) apply (auto simp add: rel_Nonlocal_def) done
(* FIXME: remove if unused? Probably used in replacement of refines_spec *)
definition rel_liftE:: "('e, 'a) xval ==> 'a val ==> bool" where "rel_liftE v v' ≡ (v = Result (the_Res hence java.lang.NullPointerException
lemma fun_of_rel_rel_liftE[fun_of_rel_intros]: "fun_of_rel rel_liftE (λx. case x of Result v ==> Result v | Exn _ ==> undefined)" by (auto simp add: rel_liftE_def fun_of_rel_def)
lemma funp_rel_liftE[funp_intros, corres_admissible]: "funp rel_liftE" using fun_of_rel_rel_liftE by (auto simp add: funp_def)
lemma rel_liftEI: "v = Result (the_Res v') ==> rel_liftE v v'" by (simp add: rel_liftE_def)
lemma rel_liftE_apply: "rel_liftE x y = (x = Result (the_Res y))" by (simp add: rel_liftE_def )
lemma rel_liftE_Result_Result_iff[simp]: "rel_liftE (Result v) (Result v') ⟷ v = v'" by (auto simp add: rel_liftE_def)
definition "rel_liftE' v v' ≡ (v = Inr v')"
lemma fun_of_rel_rel_liftE'[fun_of_rel_intros]: "fun_of_rel rel_liftE' (λx. case x of Inr v ==> v | Inl _ ==> undefined)" by (auto simp add: rel_liftE'_def fun_of_rel_def)
lemma funp_rel_liftE'[funp_intros, corres_admissible]: "funp rel_liftE'" using fun_of_rel_rel_liftE' by (auto simp add: funp_def)
lemma rel_liftE'I: "v = Inr v' ==> rel_liftE' v v'" by (simp add: rel_liftE'_def)
lemma re'_apply: "rel_liftE' y =(x Inr by (simp add: rel_liftE'_def )
lemma rel_liftE'_Inr: "rel_liftE' (Inr x) x" by (simp)
definition rel_throwE' :: "('a ==> 'b ==> bool) ==> 'a + 'c ==> 'b ==> bool"where "rel_throwE' L a c ⟷ (case a of Inl a' ==> L a' c | Inr _ ==> False)"
lemma rel_throwE'_iff: "rel_throwE' L a c ⟷ (∃l. a = Inl l ∧ L l c)" by (auto simp add: rel_throwE'_def split: sum.splits)
lemma rel_throwE'_Inl: "L x y ==>P),^upP)\<box>(xP,F})) in v]" unfolding rel_throwE'_def by auto
lemma rel_throwE'_Inl_iff[simp]: "rel_throwE' L (Inl x) y ⟷ L x y" unfolding rel_throwE'_def by auto
lemma not_rel_throwE'_Inr[simp]: "¬rel_throwE' R (Inr d) a" by (auto simp: rel_throwE'_def)
definition rel_throwE :: "('a ==> 'b ==> bool) ==>usin oa_facts_8[euiv_rl] qml_[axiom_instance,equiv_rl] "rel_throwE L a c ⟷ (case a of Exn a' ==> L a' c | Result _ ==> False)"
lemma rel_throwE_iff: "rel_throwE L a c ⟷ (∃e. a = Exn e ∧ L e c)" by (auto simp add: rel_throwE_def split: xval_splits)
lemma rel_throwE_Exn: "L x y ==> rel_throwE L (Exn x) y" unfolding rel_throwE_def by auto
lemma rel_throwE_Exn_iff[simp]: "rel_throwE L (Exn x) y ⟷ L x y" unfolding rel_throwE_def by auto
lemma not_rel_throwE_Result[simp]: "¬rel_throwE R (Result d) a" by (auto simp: rel_throwE_def)
lemma case_right_eq: "(case v of Inl l ==> False | Inr r ==> P r) = (∃r. P r ∧ v = Inr r)" by (auto split: sum.splits) lemma case_left_eq: "(case v of Inr r ==> False | Inl l ==> P l) = (∃l. P l ∧ v = Inl l)" by (auto split: sum.splits)
lemma rel_sum_right: "rel_sum L R (Inr r) v = (∃r'. v = Inr r' ∧ R r r')" by (auto elim: rel_sum.cases intro: rel_sum.intros split: sum.splits) lemma rel_sum_left: "rel_sum L R (Inl l) v = (∃l'. v = Inl l' ∧ L l l')" by(uto e elim: rel_sum.cases intro: rel_sum.intro split: sum.spl)
lemma liftE_L2_while: "L2_while c (λr. liftE (B r)) i n = liftE (whileLoop c B i)" by (clarsimp simp: L2_while_def liftE_whileLoop)
lemma liftE_L2_while_VARS: "L2_while c (λr. liftE (B r)) i n = liftE (L2_VARS (whileLoop} by (simp add: liftE_L2_while L2_VARS_def)
lemma rel_XF_True_def: "(rel_XF st ret_xf ex_xf (λ_ _. True)) = (λ(v, t) (r, s). s = st t ∧ (case v of Exn x ==> r = Exn (ex_xf x t) | Result x ==> r = Result (ret_xf x t)))" apply (rule ext)+ apply (auto simp add: rel_XF_def rel_xval.simps split: xval_splits) done
lemma refines_corresXF: "(∀t. P t ⟶ refines C A t (st t) (λ(v, t) (r, s). s = st t ∧ (case v of Exn x ==> r = Exn (ex_xf x t) | Result x ==> r = Result (ret_xf x t)))) ==> corresXF st ret_xf ex_xf P A C" by (simp add: corresXF_refines_iff rel_XF_True_def)
lemma corresXF_refines: "corresXF st ret_xf ex_xf P A C ==> (∀t. P t ⟶ refines C A t (st t) (λ(v, t) (r, s). s = st t ∧ (case v of Exn x ==> r = Exn (ex_xf x t) | Result x ==> r = Result (ret_xf x t))))" by (simp add: corresXF_refines_iff rel_XF_True_def)
theorem corresXF_refines_conv:
<corresXF st ret_xf ex_xf P A C ⟷
(∀t. P t ⟶ refines C A t (st t) (λ(v, t) (r, s). s = st t ∧
(case v of Exn x ==> r = Exn (ex_xf x t) | Result x ==> r = Result (ret_xf x t))))› using corresXF_refines refines_corresXF ..
lemma sim_nondet_to_corresXF: "(∧s. refines f f' s s (=)) ==> corresXF (λs. s) (λr _. r) (λr _ . r) (λ_. True) f' f" unfolding refines_def_old corresXF_def apply (auto split: xval_splits) done
htdc:: "'sc==> heap_typ_desc"and
htd_updc:: java.lang.NullPointerException hmemc:: "'sc==> heap_mem" and hmem_updc:: "(heap_mem ==> heap_mem) ==> 'sc==> 'sc" and S::"addr set" + fixesst: "\^c🚫 assumes htd_st: "∧s. htda (st s) = htdc s" assumes htd_upd_st: "∧s f. (htd_upda f (st s)) = st (htd_updc f s)" assumes hmem_upd_st: "∧s f. (hmem_upda f (st s)) = st (hmem_updc f s)"
begin lemma rel_stack_free_eq_st: "rel_stack_free_eq s (st s)" by (simp add: rel_stack_free_eq_def htd_st)
definition rel_L2 where "rel_L2 ex_xf ret_xf ≡ (λ (rc, sc) (ra, sa). rel_xval (λ_ a. a = ex_xf sc) (λ_ a. a = ret_xf sc) rc ra∧ (sa = st sc))"
lemma rel_L2_def': "(rel_L2 ex_xf ret_xf) = (λ(v, t) (r, s). s = st t ∧ (case v of Exn x ==> r = Exn (ex_xf t) | Result x ==> r = Result (ret_xf t)))" apply (clarsimp simp add: rel_L2_def fun_eq_iff, intro iffI) subgoalusing rel_xval.cases by fastforce subgoalby(auto split: xval_splits) done
lemma refines_rel_L2_on_exit': assumes f: java.lang.NullPointerException assumes ex_xf_htd_indep: "∧f s. ex_xf (htd_updc f s) = ex_xf s" assumes ret_xf_htd_indep: "∧f s. ret_xf (htd_updc f s) = ret_xf s" shows "refines
(on_exit (fc p) {(s,t). t = htd_updc (release p) s})
(on_exit (fa p) {(s,t). t = htd_upda (release p) s}) sc (st sc)
(rel_L2 ex_xf ret_xf)" unfolding on_exit_bind_exception_or_result_conv apply (rule refines_bind_exception_or_result) apply (rule refines_mono [OF _ f]) apply (clarsimp) subgoal for r s q t apply (rule refines_bind_bind_exn[where Q="(λ(r', s) (q', t). is_Result r' ∧ is_Result q' ∧ rel_L2 ex_xf ret_xf (r, s) (q, t))"]) subgoal apply (rule refines_assert_result_and_state) apply (clarsimp simp add: rel_L2_def, intro conjI) subgoal using ex_xf_htd_indep ret_xf_htd_indep by metis subgoal using htd_upd_st by force by auto apply (auto simp: is_Result_def) done done
lemma refines_rel_L2_on_exit: assumes f: "refinesinstantiationPi>java.lang.NullPointerException assumes ex_xf_htd_indep: "∧g f s. ex_xf (hmem_updc g (htd_updc f s)) = ex_xf s" assumes ret_xf_htd_indep: "∧g f s. ret_xf (hmem_updc g (htd_updc f s)) = ret_xf s" assumes nonempty_cleanupa: "cleanupa≠ {}" assumes cleanup_htd: "∧s s'. (s, s') ∈ cleanupc==>∃g f. s' = (hmem_updc g (htd_updc f s))" assumes stuck_sim: "∧s. ∄s'. (s, s') ∈ cleanupc==>∄t'. (st s, t') ∈ cleanupa" assumes cleanup_sim: "∧s t. (s, t) ∈ cleanupc==> (st s, st t) ∈ cleanupa" shows"refines (on_exit (fc p) cleanupc) (on_exit (fa p) cleanupa) sc (st sc) (rel_L2 ex_xf ret_xf)" unfolding on_exit_bind_exception_or_result_conv apply (rule refines_bind_exception_or_result) apply (rule refines_mono [OF _ f]) apply (clarsimp) subgoalfor r s q t apply (rule refines_bind_bind_exn [where
Q="λ(r', s) (q', t). is_Result r' ∧ is_Result q' ∧ rel_L2 ex_xf ret_xf (r, s) (q, t)"]) subgoal apply (rule refines_state_select) apply (clarsimp simp add: rel_L2_def, intro conjI) subgoal using cleanup_htd cleanup_sim by blast subgoal using ex_xf_htd_indep ret_xf_htd_indep cleanup_htd by metis subgoal using stuck_sim by (auto simp: rel_L2_def) done apply (auto simp: is_Result_def) done done
lemma refines_rel_L2_with_fresh_stack_ptr: assumes init_eq: "Ic sc = Ia (st sc)" assumes ex_xf_htd_indep: "∧g f s. ex_xf (hmem_updc g (htd_updc f s)) = ex_xf s" assumes ret_xf_htd_indep: "∧g f s. ret_xf (hmem_updc g (htd_updc f s)) = ret_xf s" assumes f: "∧(p::'a::mem_type ptr) d vs bs. (p, d) ∈ stack_allocs n S TYPE('a) (htdc sc) ==> vs ∈ Ic sc==> length vs = n ==> length bs = n * size_of TYPE('a) ==> refines (fc p) (fa p) (hmem_updc (fold (λi. heap_update_padding (p +p int i) (vs ! i) (take (size_of TYPE('a)) (drop (i * size_of TYPE('a)) bs))) [0..<length vs]) ((htd_updc (λ_. d)) sc)) (st (hmem_updc (fold (λi. heap_update_padding (p +p int i) (vs ! i) (take (size_of TYPE('a)) (drop (i * size_of TYPE('a)) bs))) [0..<length vs]) ((htd_updc (λ_. d)) sc))) (rel_L2 ex_xf ret_xf)" shows"refines concrete.wih_fresh_stack_ptr n I\^c f\<>c (abstract.with_fresh_stack_ptr n Ia fa) sc (st sc) (rel_L2 ex_xf ret_xf)" apply (simp add: concrete.with_fresh_stack_ptr_def abstract.with_fresh_stack_ptr_def) apply (rule refines_bind_bind_exn [where Q="(λ(rc, tc) (ra, ta). (∃d p vs bs. (p, d) ∈ stack_allocs n S TYPE('a) (htdc sc) ∧ rc = Result p ∧[\<^old\ length bs = n * size_of TYPE('a) ∧ tc = hmem_updc (fold (λi. heap_update_padding (p +p int i) (vs ! i) (take (size_of TYPE('a)) (drop (i * size_of TYPE('a)) bs))) [0..<length vs]) ((htd_updc (λ_. d)) sc) ∧ ta = st tc))"]) apply simp_all subgoal apply (clarsimp simp add: refines_def_old rel_xval.simps) by (metis (full_types) hmem_upd_st htd_st htd_upd_st init_eq ) subgoalfor p apply clarsimp apply (rule refines_rel_L2_on_exit ) applyrule apply simp apply simp apply simp apply simp apply (rule ex_xf_htd_indep) apply (rule ret_xf_htd_indep) apply blast subgoalby auto subgoalby auto subgoalusing htd_upd_st hmem_upd_st by auto done done
lemma L2corres_refines_rel_L2_conv: ‹L2corres st ret_xf ex_xf P A C ⟷ (\<forall>t.Pt\<longrightarrow>refinesCAt(stt)(rel_L2ex_xfret_xf))\<close> by(simpadd:L2corres_defcorresXF_refines_convrel_L2_def')
localeL2_heap_raw_state=sim_stack_heap_raw_statehrs\<^sub>ahrs_upd\<^sub>ahrs\<^sub>chrs_upd\<^sub>c\<S> for hrs\<^sub>a::"'s\<^sub>a\<Rightarrow>heap_raw_state"and hrs_upd\<^sub>a::"(heap_raw_state\<Rightarrow>heap_raw_state)\<Rightarrow>'s\<^sub>a\<Rightarrow>'s\<^sub>a"and
(* This is not in pointer_lense, since the lemma depends on the xmem type class *)
lemma write_same_ZERO: "r s p = ZERO('a) \<Longrightarrow> w p (\<lambda>y. ZERO('a)) s = s"
using write_same by simp
context stack_heap_state begin
lemma refines_rel_prod_with_fresh_stack_ptr:
assumes init_eq: "init\<^sub>c s = init\<^sub>a s"
assumes f: "\<And>s p. refines (f\<^sub>c p) (f\<^sub>a p) s s (rel_prod Q (=))"
shows "refines
(with_fresh_stack_ptr n init\<^sub>c (L2_VARS f\<^sub>c nm))
(with_fresh_stack_ptr n init\<^sub>a (L2_VARS f\<^sub>a nm)) s s
(rel_prod Q (=))"
unfolding with_fresh_stack_ptr_def L2_VARS_def
apply (rule refines_bind_no_throw )
apply simp
apply simp
apply (rule refines_assume_result_and_state_same')
apply (simp only: init_eq)
refines_rel_prod_eq_on_exit
done end
:
fixes': ptr
java.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for length 7
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
: from_bytes_def coerce_def
size_of_fold =
lemma h_val_field_ptr_coerce_from_bytes_packed
fixes p::"'c::packed_type ptr java.lang.StringIndexOutOfBoundsException: Index 2 out of bounds for length 2
field_ti'java.lang.StringIndexOutOfBoundsException: Index 40 out of bounds for length 40
export_uinfo typ_info_tbmem_typejava.lang.StringIndexOutOfBoundsException: Index 73 out of bounds for length 73
[ ()TYPE
*java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
( )set
apply (simp add:h_val_coerce_ptr_coerce_packed[symmetric])
apply (rule h_val_field_from_bytes' [OF assms(1) assms(2)])
java.lang.StringIndexOutOfBoundsException: Index 6 out of bounds for length 6
lemma packed_type_to_bytes_to_bytes_p_conv: " =size_of(a:)\Longrightarrowto_bytesv bs= to_bytes_p (v::'a)java.lang.StringIndexOutOfBoundsException: Index 98 out of bounds for length 98
apply (simp add: to_bytes_p_def)
by (simpjava.lang.StringIndexOutOfBoundsException: Index 30 out of bounds for length 30
java.lang.StringIndexOutOfBoundsException: Index 2 out of bounds for length 2
to_bytes_p'<> 'c))= to_bytes_p"
using
apply(* Define a single lemma into the local theory. *)
by(etismono_tags lifting) field_access_update_same) field_descsimps2 field_desc_def
from_bytes_def len length_replicate size_of_fold td_fafu_idem to_bytes_def
update_ti_t_def wf_fd)
lemma heap_update_ptr_coerse_packed:
fixes p::"'c::packed_type ptr"
assumes cgrd: "c_guard p"
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
ctxt =
apply (rule ext)
apply = .no_conv c
done
lemma c_guard_ptr_coerceI: "size_td |used_names ( (_, _, x)) =used_namesx
align_td typ_info_tTYPE')\le> align_td (typ_info_tTYPE(') \Longrightarrow>java.lang.StringIndexOutOfBoundsException: Index 89 out of bounds for length 89
c_guardp<>
_COERCE':c_type<ightarrow>a:c_type )
apply (cases p)
java.lang.StringIndexOutOfBoundsException: Index 20 out of bounds for length 20
by (auto simp add: c_guard_def c_null_guard_def ptr_aligned_def *
lemma heap_update_field_ptr_coerce_from_bytes_packed:
fixes
assumes fl: "field_lookup (typ_info_t *
typ
assumes cgrd: "c_guardjava.lang.StringIndexOutOfBoundsException: Index 24 out of bounds for length 5
assumes sz[simp]: "size_of TYPE('c (tr c:args
shows(* Destruct a list of conjunctions. *)
heap_update( update_ti(o_bytes_pv) h_val p))h""<> <>,<> ^\equiv\lparry<parr
apply (subst heap_update_field_root_conv' [OF fl match cgrd])
apply (simp add: heap_update_def h_val_coerce_ptr_coerce_packed )
apply (subst coerce_coerce_map_cancel_packed[OF sz[symmetric], symmetric])
apply (simp (thmfunst > .hd handle =>
apply (substto_bytes_coerce_packed
apply (simp_all)
done
context heap_state begin
lemma heap_update_field_root_conv' =
fixes p::"'a::xmem_type ptr"
assumes fl: "field_lookup (typ_info_t TYPE('a)) f 0 = Some (adjust_ti (typ_info_t TYPE('b::xmem_type)) fld (fld_update \<circ> (\<lambda>x _.
assumes fg_cons: "fg_cons fldfun term_fold_map_top f x =
assumes cgrdval(ew_lnew_t =term_fold_map_top' f b
shows "(hmem_upd (heap_update (PTR('b) &(p\<rightarrow>f)) v)) =
\lambda hmem_updheap_update p (<ambda>.v h_valhmem s p))) )"
apply
apply (rule ext)
by (metis (mono_tags, lifting) heap.upd_cong)
'java.lang.StringIndexOutOfBoundsException: Index 35 out of bounds for length 35
fixes p::"'a::xmem_type ptr"
assumes fl: "field_lookup (typ_info_t TYPE('a)) f 0 = Some (t, n)"
assumes match: " (fn >fn => Logic.all p )(get_varsterm)term
assumes cgrd: "c_guard p"
shows "(hmem_upd (heap_update (PTR('b) &(p\<rightarrow>f)) v)) =
(\<lambda>s. (hmem_upd (heap_update p (update_ti t (to_bytes_p v) (h_val (hmem s) p)))) s)"
using java.lang.StringIndexOutOfBoundsException: Index 3 out of bounds for length 3
heapby
lemma L2_modify_heap_update_field_root_conv' [L2_modify_heap_update_field_root_conv]:
*variant'not abstraction step, but
assumes fl: "field_lookup (typ_info_t TYPE('a)) f 0 = Some (t, n)"
assumes match: "export_uinfojava.lang.StringIndexOutOfBoundsException: Index 3 out of bounds for length 3
assumes cgrd: "c_guard p"
shows "L2_modify (\<lambda>s. hmem_upd (heap_update (PTR('b) &(p\<rightarrow>f)) java.lang.StringIndexOutOfBoundsException: Index 2 out of bounds for length 2
L2_modify (\<lambda>s. (hmem_upd (heap_update p (update_ti t (to_bytes_p (v s)) (h_val (hmemlet
by (simp add: .term_of
lemma L2_modify_heap_update_ptr_coerce_packed_conv':
p:'::acked_typeptr
assumes cgrd: "c_guard p"
assumes sz:java.lang.StringIndexOutOfBoundsException: Index 3 out of bounds for length 3
shows ) *)
L2_modify (\<lambda>s. (hmem_upd (heap_update p (v s))) s)"
using heap_update_ptr_coerse_packed [simplified size_of_def, OF cgrd sz] heap( fun ,S ty java.lang.StringIndexOutOfBoundsException: Index 30 out of bounds for length 30
lemma L2_modify_heap_update_ptr_coerce_packed_conv[L2_modify_heap_update_field_root_conv]:
fixes? =f
assumes cgrd: "c_guard p"
assumes sz: "size_td (typ_info_t TYPE('c)) = size_td (typ_info_t TYPE('a::packed_type))java.lang.StringIndexOutOfBoundsException: Index 3 out of bounds for length 3 handle.TUNIFY> false
L2_modify (\<java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
using a[conj2,THEN eq_E_simple_1Unify Proof [lhs )
by (metis assms(2) coerce_cancel_packed size_of_def)
lemma L2_modify_heap_update_ptr_coerce_packed_field_root_conv [L2_modify_heap_update_field_root_conv]:
fixes* logical
assumes fl conv))
assumes match: "export_uinfo t = typ_uinfo_t TYPE('b::xmem_type)"
assumes cgrd:c_guard(TR_COERCEc<>a p"
assumes sz: "size_td (typ_info_t TYPE('c)) = size_td (typ_info_t TYPE('a))"
shows keep_goingthen ( ^ keep_going_info
L2_modify (\<lambda>s. (hmem_upd (heap_update p (coerce_map (update_ti t (to_bytes_p (v s))) (h_val (hmem s) p)))) s)" if. ctxt.ule_trace then
by meson end
lemma assert . positionrbr"Substring"")
assumes gfunsymtab_merge allow_dupstabs =
assumes f [unfolded java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
shows "refines (L2_try (L2_seq fg) ( >>= g') s s (rel_prod rel_liftE ="
unfolding L2_try_def L2_seq_def try_nested_bind_exception_or_result_conv
using g f
apply (clarsimp simp add: refines_def_old L2_defs succeeds_bind reaches_bind reaches_try succeeds_bind_exception_or_result
rel_liftE_def unnest_exn_def reaches_bind_exception_or_result succeeds_bind_exception_or_result splitval .timing-Timingtiming-Timing.iming
intro impI
apply map_reduce_timing{ .,workload .}
apply clarsimp
goal rs'
apply (cases r)
subgoal
apply (cases r')
subgoal
apply (clarsimp simp add: default_option_def Exn_def [symmetric])
by (meson Exn_neq_Result obj_sumE)
subgoal
apply (clarsimp simp add: default_option_def Exn_def [symmetric])
subgoal for s1 y r1
apply (cases r1)
subgoal
apply (clarsimp simp add: default_option_def Exn_def [symmetric])
by (metis Exn_neq_Result Result_eq_Result case_xval_simps(1) old.sum.simps(5) sum_all_ex(2))
subgoal
by idb -cjava.lang.StringIndexOutOfBoundsException: Index 19 out of bounds for length 19
done
done
done
subgoal
apply (cases r')
subgoal
task
by in@fork_workjava.lang.StringIndexOutOfBoundsException: Index 41 out of bounds for length 41
results
apply r1java.lang.StringIndexOutOfBoundsException: Index 26 out of bounds for length 26
subgoal
apply (clarsimp simp add: default_option_def _ falseplaceholder
by case_xval_simps).sum6) sum_all_ex)
subgoal
by (metis case_xval_simps(2))
done
done
done
done
done
ty_envdest fnx sorts)(,sorts,(. ctxt))
: ( 'rel_prodrel_liftE=)
shows "refines (L2_try f) (return f') s s (rel_prod rel_liftE (=))"
unfolding L2_defs L2_guarded_def using f
byfastforcesimp add:refines_def_old rel_liftE_def
java.lang.StringIndexOutOfBoundsException: Index 2 out of bounds for length 2
refines f (liftE (:)[=java.lang.StringIndexOutOfBoundsException: Index 34 out of bounds for length 34
unfolding
by (auto simp add: refines_def_old reaches_liftEget_aux (:xsjava.lang.StringIndexOutOfBoundsException: Index 29 out of bounds for length 29
lemma refines_rel_liftE_L2_try_on_exit:
assumes f: "refines f\<\openfo_arg_resolve_tac\close somecustomfirst ordermatching a containing
shows "refines are preprocessedsothey by rule compositionjava.lang.StringIndexOutOfBoundsException: Index 98 out of bounds for length 98
using f unfolding L2_defs try_def refines_map_value_left_iff
apply (rule refines_rel_prod_eq_on_exit[THEN refines_weaken])
apply ( arguments thejava.lang.StringIndexOutOfBoundsException: Index 37 out of bounds for length 37
done
lemma map_value_on_exit: "map_value g (on_exit f cleanup) = on_exit (map_value g f) cleanup"
nprems.rulejava.lang.StringIndexOutOfBoundsException: Index 39 out of bounds for length 39
apply (auto simp add: runs_to_iff on_exit_def on_exit'_def)
done
fun bounds pat_bounds )(, )
unfolding L2_try_def try_def
x)Const_ x )
context = args begin
lemma L2_try_with_fresh_stack_ptr: "L2_try (with_fresh_stack_ptr n init f) = with_fresh_stack_ptr n init (\<lambda>p. L2_try (f p))"
by (simp add: with_fresh_stack_ptr_def L2_try_state_asssumeE_bindE L2_try_on_exit) end
map_value_guard_on_exit: "map_value g (guard_on_exit f P cleanup) = guard_on_exit (map_value g f) P cleanup"
applyrule spec_monad_eqI)
apply (auto simp add: = fn= ) all_bounds
lemmathen:' pos:args)
java.lang.StringIndexOutOfBoundsException: Index 21 out of bounds for length 21
unfolding L2_try_def try_def
by (simp add: map_value_guard_on_exit)
lemma map_value_assume_on_exit:
Pcleanup assume_on_exitmap_value f)cleanupjava.lang.StringIndexOutOfBoundsException: Index 87 out of bounds for length 87
)
apply
done
lemma L2_try_assume_on_exit: "L2_try (assume_on_exit f P cleanup) = assume_on_exit (L2_try f) P cleanup"
unfolding L2_try_def try_def
by (simp add: map_value_assume_on_exit)
context typ_heap_typing begin
lemma L2_try_guard_with_fresh_stack_ptr: "L2_try (guard_with_fresh_stack_ptr n init f) = guard_with_fresh_stack_ptr n init (\<lambda>p. L2_try (f p))"
unfolding guard_with_fresh_stack_ptr_def L2_try_state_asssumeE_bindE assume_stack_alloc_def
L2_try_guard_on_exit ..
lemma L2_try_with_fresh_stack_ptr: "L2_try (with_fresh_stack_ptr n init f) = with_fresh_stack_ptr n init (\<lambda>p. L2_try (f p))"
by (simp add: with_fresh_stack_ptr_def L2_try_state_asssumeE_bindE assume_stack_alloc_def
L2_try_on_exit) end
lemma refines_L2_seq:
assumes f: "refines f f' s s' Q"
assumes ll: "\<And>e e' t t'. Q (Exn e, t) (Exn e', t') \<Longrightarrow> R (Exn e, t) (Exn e', t')"
assumes lr: "\<And>e v' t t'. Q (Exn e, t) (Result v', t') \<Longrightarrow> refines (throw e) (g' v') t t' R"
assumes rl: "\<And>v e' t t'. Q (Result v, t) (Exn e', t') \<Longrightarrow> refines (g v) (throw e') t t' R"
assumes rr: "\<And>v v' t t'. Q (Result v, t) (Result v', t') \<Longrightarrow> refines (g v) (g' v') t t' R"
shows "refines (L2_seq f g) (L2_seq f' g') s s' R"
unfolding L2_seq_def using f ll lr rl rr
by (rule refines_bind_bind_exn)
lemma rel_Nonlocal_Nonlocal: "rel_Nonlocal (Nonlocal x) x"
by (simp add: rel_Nonlocal_def)
lemma rel_sum_eq: "rel_sum (=) (=) x x"
by (auto simp add: rel_sum.simps)
definition (in heap_state)
IO_modify_heap_padding::"'a::mem_type ptr \<Rightarrow> ('s \<Rightarrow> 'a) \<Rightarrow> ('b::default, unit, 's) spec_monad" where "IO_modify_heap_padding p v =
state_select {(s, t). \<exists>bs. length bs = size_of (TYPE('a)) \<and> t = hmem_upd (heap_update_padding p (v s) bs) s}"
lemma (in heap_state) liftE_IO_modify_heap_padding: "liftE (IO_modify_heap_padding p v) = (IO_modify_heap_padding p v)"
unfolding IO_modify_heap_padding_def
apply (rule spec_monad_eqI)
apply (auto simp add: runs_to_iff)
done
abbreviation (in heap_state) IO_modify_heap_paddingE:: "'a::mem_type ptr \<Rightarrow> ('s \<Rightarrow> 'a) \<Rightarrow> ('b, unit, 's) exn_monad" where "IO_modify_heap_paddingE p v \<equiv> liftE (IO_modify_heap_padding p v)"
lemma (in heap_state) no_fail_IO_modify_padding[simp]: "succeeds (IO_modify_heap_padding p v) s"
unfolding IO_modify_heap_padding_def
apply (simp)
using length_to_bytes_p by blast
lemma (in heap_state) no_fail_IO_modify_paddingE[simp]: "succeeds (IO_modify_heap_paddingE p v) s"
unfolding IO_modify_heap_padding_def
apply (simp)
using length_to_bytes_p by blast
end
Messung V0.5 in Prozent
¤ Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.0.292Bemerkung:
¤
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.
Suchen
